Method for controlled and audited access to privileged accounts on computer systems Patent Grant Narayanan May 20, 2 [JP Morgan Chase Bank]

Method for controlled and audited access to privileged accounts on computer systems

Narayanan May 20, 2

Patent Grant 7376838

U.S. patent number 7,376,838 [Application Number 10/680,400] was granted by the patent office on 2008-05-20 for method for controlled and audited access to privileged accounts on computer systems. This patent grant is currently assigned to JP Morgan Chase Bank. Invention is credited to Lakshmi Narayanan.

United States Patent	7,376,838
Narayanan	May 20, 2008

**Please see images for: ( Certificate of Correction ) **

Method for controlled and audited access to privileged accounts on computer systems

Abstract

A method that provides access to Privileged Accounts to users with Privileged Account access permission. A message is sent to a Privileged Accounts manager when a user logs into a Privileged Account. The user must enter a reason for access. All keystrokes are logged. At the conclusion of the user session, the log file is closed and another message is sent to the Privileged Accounts manager. The log file may be sent to the manager at this time or saved for a batch transfer periodically.

Inventors:	Narayanan; Lakshmi (New York, NY)
Assignee:	JP Morgan Chase Bank (New York, NY)
Family ID:	34068378
Appl. No.:	10/680,400
Filed:	October 7, 2003

Prior Publication Data


	Document Identifier	Publication Date
	US 20050015628 A1	Jan 20, 2005

Related U.S. Patent Documents


Application Number	Filing Date	Patent Number	Issue Date
60487995	Jul 17, 2003

Current U.S. Class:	713/183; 705/40; 705/42; 705/68; 705/70; 705/75; 705/78; 713/164; 713/165; 713/193; 713/194; 726/1; 726/2; 726/22; 726/3; 726/4; 726/6
Current CPC Class:	G06F 21/31 (20130101); G06Q 20/0855 (20130101); G06Q 20/102 (20130101); G06Q 20/108 (20130101); G06Q 20/3676 (20130101); G06Q 20/401 (20130101)
Current International Class:	G06F 9/00 (20060101); H04L 9/00 (20060101)
Field of Search:	;713/193,194 ;726/2 ;705/35

References Cited [Referenced By]

U.S. Patent Documents


3705385	December 1972	Batz
3860870	January 1975	Furuya
3896266	July 1975	Waterbury
3938091	February 1976	Atalla et al.
4013962	March 1977	Beseke et al.
4321672	March 1982	Braun et al.
4567359	January 1986	Lockwood
4633397	December 1986	Macco
4695880	September 1987	Johnson et al.
4696491	September 1987	Stenger
4713761	December 1987	Sharpe et al.
4725719	February 1988	Oncken et al.
4745468	May 1988	Von Kohorn
4799156	January 1989	Shavit
4801787	January 1989	Suzuki
4823264	April 1989	Deming
4882675	November 1989	Nichtberger et al.
4926255	May 1990	Von Kohorn
4941090	July 1990	McCarthy
4964043	October 1990	Galvin
4992940	February 1991	Dworkin
5016270	May 1991	Katz
5032979	July 1991	Hecht et al.
5050207	September 1991	Hitchcock
5084816	January 1992	Boese
5117355	May 1992	McCarthy
5157717	October 1992	Hitchcock
5189606	February 1993	Burns et al.
5202826	April 1993	McCarthy
5233654	August 1993	Harvey et al.
5235509	August 1993	Mueller et al.
5241594	August 1993	Kung
5265033	November 1993	Vajk
5287268	February 1994	McCarthy
5297026	March 1994	Hoffman
5317683	May 1994	Hager et al.
5321841	June 1994	East
5351186	September 1994	Bullock
5381332	January 1995	Wood
5412708	May 1995	Katz
5420405	May 1995	Chasek
5446740	August 1995	Yien
5450134	September 1995	Legate
5450537	September 1995	Hirai et al.
5465206	November 1995	Hilt et al.
5467269	November 1995	Flaten
5473143	December 1995	Vak
5473732	December 1995	Change
5479530	December 1995	Nair et al.
5511117	April 1996	Zazzera
5513102	April 1996	Auriemma
5532920	July 1996	Hartrick
5534855	July 1996	Shockley et al.
5537314	July 1996	Kanter
5537473	July 1996	Saward
5544086	August 1996	Davis et al.
5551021	August 1996	Harada
5557334	September 1996	Legate
5557518	September 1996	Rosen
5560008	September 1996	Johnson et al.
5568489	October 1996	Yien
5570295	October 1996	Isenberg
5570465	October 1996	Tsakanikas
5576951	November 1996	Lockwood
5583778	December 1996	Wind
5590199	December 1996	Krajewski et al.
5592378	January 1997	Cameron
5592553	January 1997	Guski et al.
5592560	January 1997	Deaton et al.
5594837	January 1997	Noyes
5598557	January 1997	Doner
5602936	February 1997	Lynn
5603025	February 1997	Tabb
5604490	February 1997	Blakley et al.
5606496	February 1997	D'Agostino
5611052	March 1997	Dykstra
5621201	April 1997	Langhans
5621789	April 1997	McCalmont
5621812	April 1997	Deaton et al.
5625767	April 1997	Bartell
5634101	May 1997	Blau
5638457	June 1997	Deaton et al.
5640577	June 1997	Scharmer
5642419	June 1997	Rosen
5644493	July 1997	Motai
5653914	August 1997	Holmes et al.
5657383	August 1997	Gerber
5659165	August 1997	Jennings
5661807	August 1997	Guski et al.
5664115	September 1997	Fraser
5666493	September 1997	Wojcik et al.
5671285	September 1997	Newman
5675637	October 1997	Szlam et al.
5675662	October 1997	Deaton et al.
5677955	October 1997	Doggett et al.
5678046	October 1997	Cahill et al.
5682524	October 1997	Freund
5684870	November 1997	Maloney
5687322	November 1997	Deaton et al.
5689100	November 1997	Carrithers et al.
5692132	November 1997	Hogan
5699528	December 1997	Hogan
5703344	December 1997	Bezy et al.
5710886	January 1998	Christensen et al.
5710887	January 1998	Chelliah
5710889	January 1998	Clark et al.
5715298	February 1998	Rogers
5715314	February 1998	Payne
5715399	February 1998	Bezos
5715402	February 1998	Popolo
5715450	February 1998	Ambrose
5724424	March 1998	Gifford
5727163	March 1998	Bezos
5734838	March 1998	Robinson
5737414	April 1998	Walker et al.
5740231	April 1998	Cohn et al.
5754840	May 1998	Rivette
5758126	May 1998	Daniels et al.
5758328	May 1998	Giovannoli
5761288	June 1998	Gray
5761647	June 1998	Boushy
5761661	June 1998	Coussenns
5764789	June 1998	Pare et al.
5765141	June 1998	Spector
5765143	June 1998	Sheldon
5768382	June 1998	Schnier et al.
5774122	June 1998	Kojima
5778178	July 1998	Arunachalam
5781909	July 1998	Logan et al.
5784562	July 1998	Diener
5787403	July 1998	Randle
5787404	July 1998	Fernandez-Holman
5790650	August 1998	Dunn
5790785	August 1998	Klug et al.
5793861	August 1998	Haigh
5794178	August 1998	Caid
5794207	August 1998	Walker
5794259	August 1998	Kikinis
5796395	August 1998	De Hond
5797127	August 1998	Walker et al.
5798508	August 1998	Walker et al.
5802498	September 1998	Comesanas
5802502	September 1998	Gell
5805719	September 1998	Pare et al.
5815657	September 1998	Williams et al.
5815665	September 1998	Teper et al.
5815683	September 1998	Vogler
5818936	October 1998	Moshayekhi
5819092	October 1998	Ferguson
5819285	October 1998	Damico
5825863	October 1998	Walker
5825870	October 1998	Miloslavsky
5826241	October 1998	Stein
5826245	October 1998	Sandberg-Diment
5826250	October 1998	Trefler
5828734	October 1998	Katz
5828751	October 1998	Walker et al.
5828812	October 1998	Khan et al.
5828833	October 1998	Belville et al.
5832211	November 1998	Blakley, III et al.
5832460	November 1998	Bednar
5832476	November 1998	Tada
5835580	November 1998	Fraser
5835603	November 1998	Coutts
5838903	November 1998	Blakely, III et al.
5838906	November 1998	Doyle
5842178	November 1998	Giovannoli
5842211	November 1998	Horadan
5844553	December 1998	Hao
5845259	December 1998	West et al.
5845260	December 1998	Nakano et al.
5847709	December 1998	Card
5848400	December 1998	Chang
5848427	December 1998	Hyodo
5852812	December 1998	Reeder
5857079	January 1999	Claus et al.
5862223	January 1999	Walker
5862323	January 1999	Blakely, III et al.
5864830	January 1999	Armetta et al.
RE36116	February 1999	McCarthy
5866889	February 1999	Weiss et al.
5870718	February 1999	Spector
5870725	February 1999	Belinger
5871398	February 1999	Schneier et al.
5873072	February 1999	Kight
5873096	February 1999	Lim
5880769	March 1999	Nemirofsky
5884032	March 1999	Bateman
5884270	March 1999	Walker et al.
5884272	March 1999	Walker et al.
5884274	March 1999	Walker et al.
5884288	March 1999	Chang
5889863	March 1999	Weber
5892900	April 1999	Ginter et al.
5898780	April 1999	Liu et al.
5899982	May 1999	Randle
5903881	May 1999	Schrader
5909486	June 1999	Walker et al.
5910988	June 1999	Ballard
5913202	June 1999	Motoyama
5914472	June 1999	Foladare et al.
5915244	June 1999	Jack et al.
5918214	June 1999	Perkowski
5918217	June 1999	Maggioncalda
5918239	June 1999	Allen et al.
5920847	July 1999	Kolling et al.
5921864	July 1999	Walker et al.
5923763	July 1999	Walker et al.
5926796	July 1999	Walker et al.
5926812	July 1999	Hilsenrath
5930764	July 1999	Melchione
5933816	August 1999	Zeanah
5933817	August 1999	Hucal
5933823	August 1999	Cullen
5933827	August 1999	Cole
5940812	August 1999	Tengel et al.
5943656	August 1999	Crooks
5944824	August 1999	He
5945653	August 1999	Walker et al.
5946388	August 1999	Walker et al.
5947747	September 1999	Walker et al.
5949044	September 1999	Walker et al.
5949875	September 1999	Walker et al.
5950173	September 1999	Perkowski
5950174	September 1999	Brendzel
5950206	September 1999	Krause
5952639	September 1999	Ohki
5952641	September 1999	Korshun
5953710	September 1999	Fleming
5956695	September 1999	Carrithers et al.
5958007	September 1999	Lee et al.
5960411	September 1999	Hartman et al.
5961593	October 1999	Gabber et al.
5963635	October 1999	Szlam et al.
5963925	October 1999	Kolling et al.
5963952	October 1999	Smith
5963953	October 1999	Cram et al.
5966695	October 1999	Melchione et al.
5966699	October 1999	Zandi
5967896	October 1999	Jorasch et al.
5969318	October 1999	Mackenthun
5970143	October 1999	Schneier et al.
5970470	October 1999	Walker et al.
5970478	October 1999	Walker et al.
5970482	October 1999	Pham
5970483	October 1999	Evans
5978467	November 1999	Walker et al.
5983196	November 1999	Wendkos
5987434	November 1999	Libman
5987454	November 1999	Hobbs
5987498	November 1999	Athing et al.
5991736	November 1999	Ferguson et al.
5991738	November 1999	Ogram
5991748	November 1999	Taskett
5991751	November 1999	Rivette et al.
5991780	November 1999	Rivette
5995948	November 1999	Whitford
5995976	November 1999	Walker et al.
5999596	December 1999	Walker et al.
5999907	December 1999	Donner
6000033	December 1999	Kelly et al.
6001016	December 1999	Walker et al.
6003762	December 1999	Hayashida
6005939	December 1999	Fortenberry et al.
6006205	December 1999	Loeb et al.
6006249	December 1999	Leong
6009415	December 1999	Shurling et al.
6009442	December 1999	Chen et al.
6010404	January 2000	Walker et al.
6012088	January 2000	Li et al.
6012983	January 2000	Walker et al.
6014439	January 2000	Walker et al.
6014635	January 2000	Harris et al.
6014636	January 2000	Reeder
6014638	January 2000	Burge et al.
6014641	January 2000	Loeb et al.
6014645	January 2000	Cunningham
6016476	January 2000	Maes et al.
6016810	January 2000	Ravenscroft
6018714	January 2000	Risen, Jr.
6018718	January 2000	Walker et al.
6024640	February 2000	Walker et al.
6026398	February 2000	Brown et al.
6026429	February 2000	Jones et al.
6032134	February 2000	Weissman
6032147	February 2000	Williams et al.
6038547	March 2000	Casto
6038552	March 2000	Fleischl et al.
6042006	March 2000	Van Tilburg et al.
6044362	March 2000	Neely
6045039	April 2000	Stinson et al.
6049778	April 2000	Walker et al.
6049782	April 2000	Gottesman et al.
6049835	April 2000	Gagnon
6055637	April 2000	Hudson et al.
6061665	May 2000	Bahreman
6064987	May 2000	Walker et al.
6065120	May 2000	Laursen et al.
6065675	May 2000	Teicher
6070147	May 2000	Harms et al.
6070153	May 2000	Simpson
6070244	May 2000	Orchier et al.
6073105	June 2000	Sutcliffe et al.
6073113	June 2000	Guinan
6075519	June 2000	Okatani et al.
6076072	June 2000	Libman
6081790	June 2000	Rosen
6081810	June 2000	Rosenzweig et al.
6081900	June 2000	Subramaniam et al.
6085168	July 2000	Mori et al.
6088444	July 2000	Walker et al.
6088451	July 2000	He et al.
6088683	July 2000	Jalili
6088686	July 2000	Walker et al.
6088700	July 2000	Larsen et al.
6091817	July 2000	Bertina et al.
6092192	July 2000	Kanevsky et al.
6092196	July 2000	Reiche
6095412	August 2000	Bertina et al.
6098070	August 2000	Maxwell
6101486	August 2000	Roberts et al.
6104716	August 2000	Crichton et al.
6105012	August 2000	Chang et al.
6105865	August 2000	Hardesty
6111858	August 2000	Greaves et al.
6112181	August 2000	Shear et al.
6115690	September 2000	Wong
6119093	September 2000	Walker et al.
6119099	September 2000	Walker et al.
6128599	October 2000	Walker et al.
6128602	October 2000	Northington et al.
6131810	October 2000	Weiss et al.
6134549	October 2000	Regnier et al.
6134592	October 2000	Montulli
6135349	October 2000	Zirkel
6138106	October 2000	Walker et al.
6138118	October 2000	Koppstein et al.
6141651	October 2000	Riley et al.
6141666	October 2000	Tobin
6144946	November 2000	Iwamura
6144948	November 2000	Walker et al.
6145086	November 2000	Bellemore et al.
6148293	November 2000	King
6151584	November 2000	Papierniak et al.
6154750	November 2000	Roberge et al.
6154879	November 2000	Pare et al.
6161182	December 2000	Nadooshan
6164533	December 2000	Barton
6170011	January 2001	Beck et al.
6178511	January 2001	Cohen et al.
6182052	January 2001	Fulton et al.
6182142	January 2001	Win et al.
6182220	January 2001	Chen et al.
6182225	January 2001	Hagiuda et al.
6185242	February 2001	Arthur et al.
6189029	February 2001	Fuerst
6192361	February 2001	Huang
6195644	February 2001	Bowie
6199077	March 2001	Inala et al.
6201948	March 2001	Cook et al.
6202005	March 2001	Mahaffey
6202054	March 2001	Lawlor et al.
6202151	March 2001	Musgrave et al.
6202158	March 2001	Urano et al.
6208978	March 2001	Walker et al.
6208984	March 2001	Rosenthal
6216115	April 2001	Barrameda et al.
6219639	April 2001	Bakis et al.
6219706	April 2001	Fan
6222914	April 2001	McMullin
6226623	May 2001	Schein et al.
6226679	May 2001	Gupta
6226752	May 2001	Gupta et al.
6227447	May 2001	Campisano
6230148	May 2001	Pare et al.
6243688	June 2001	Kalina
6243816	June 2001	Fang et al.
6253327	June 2001	Zhang et al.
6253328	June 2001	Smith, Jr.
6256664	July 2001	Donoho et al.
6260026	July 2001	Tomida et al.
6266648	July 2001	Baker, III
6266683	July 2001	Yehuda et al.
6267292	July 2001	Walker et al.
6269348	July 2001	Pare et al.
6275944	August 2001	Kao et al.
6289322	September 2001	Kitchen et al.
6298330	October 2001	Gardenswartz et al.
6298356	October 2001	Jawahar et al.
6301567	October 2001	Leong et al.
6308273	October 2001	Goertzel et al.
6308274	October 2001	Swift
6311275	October 2001	Jin et al.
6317834	November 2001	Gennaro et al.
6317838	November 2001	Baize
6324524	November 2001	Lent et al.
6327573	December 2001	Walker et al.
6327578	December 2001	Linehan
6332192	December 2001	Boroditisky et al.
6336104	January 2002	Walker et al.
6343279	January 2002	Bissonette et al.
6345261	February 2002	Feidelson
6349242	February 2002	Mahaffey
6349336	February 2002	Sit et al.
6363381	March 2002	Lee et al.
6385591	May 2002	Mankoff
6385652	May 2002	Brown et al.
6401125	June 2002	Makarios et al.
6401211	June 2002	Brezak, Jr. et al.
6408389	June 2002	Grawrock et al.
6411933	June 2002	Maes et al.
6418457	July 2002	Schmidt et al.
6438594	August 2002	Bowman-Amuah
6438666	August 2002	Cassagnol et al.
6449765	September 2002	Ballard
6453353	September 2002	Win et al.
6460141	October 2002	Olden
6487641	November 2002	Cusson et al.
6493677	December 2002	von Rosen et al.
6493685	December 2002	Ensel et al.
6496855	December 2002	Hunt et al.
6496936	December 2002	French et al.
6507912	January 2003	Matyas, Jr. et al.
6510523	January 2003	Perlman et al.
6526404	February 2003	Slater et al.
6532284	March 2003	Walker et al.
6535855	March 2003	Cahill et al.
6535917	March 2003	Zamanzadeh et al.
6535980	March 2003	Kumar et al.
6539424	March 2003	Dutta
6557039	April 2003	Leong et al.
6574348	June 2003	Venkatesan et al.
6580814	June 2003	Ittycheriah et al.
6581040	June 2003	Wright et al.
6584505	June 2003	Howard et al.
6584508	June 2003	Epstein et al.
6589291	July 2003	Boag et al.
6592044	July 2003	Wong et al.
6609106	August 2003	Robertson
6609113	August 2003	O'Leary et al.
6609125	August 2003	Layne et al.
6609198	August 2003	Wood et al.
6609654	August 2003	Anderson et al.
6618579	September 2003	Smith et al.
6618806	September 2003	Brown et al.
6623415	September 2003	Gates et al.
6640302	October 2003	Subramaniam et al.
6647400	November 2003	Moran
6668322	December 2003	Wood et al.
6675261	January 2004	Shandony
6684384	January 2004	Bickerton et al.
6687222	February 2004	Albert et al.
6687245	February 2004	Fangman et al.
6697947	February 2004	Matyas, Jr. et al.
6714987	March 2004	Amin et al.
6718482	April 2004	Sato et al.
6718535	April 2004	Underwood
6725269	April 2004	Megiddo
6735695	May 2004	Gopalakrishnan et al.
6738779	May 2004	Shapira
6751654	June 2004	Massarani et al.
6754833	June 2004	Black et al.
6755341	June 2004	Wong et al.
6766370	July 2004	Glommen et al.
6769605	August 2004	Magness
6772146	August 2004	Khemlani et al.
6785810	August 2004	Lirov et al.
6789115	September 2004	Singer et al.
6805288	October 2004	Routhenstein et al.
6810395	October 2004	Bharat
6819219	November 2004	Bolle et al.
6820202	November 2004	Wheeler et al.
6826696	November 2004	Chawla et al.
6832202	December 2004	Schuyler et al.
6847991	January 2005	Kurapati
6856970	February 2005	Campbell et al.
6892231	May 2005	Jager
6907566	June 2005	McElfresh et al.
6925481	August 2005	Singhal et al.
6934848	August 2005	King et al.
6938158	August 2005	Azuma
6950936	September 2005	Subramaniam et al.
6957337	October 2005	Chainer et al.
6965939	November 2005	Cuomo et al.
6976164	December 2005	King et al.
6980962	December 2005	Arganbright et al.
6983421	January 2006	Lahti et al.
6992786	January 2006	Breding et al.
7010512	March 2006	Gillin et al.
7020696	March 2006	Perry et al.
7032110	April 2006	Su et al.
7058817	June 2006	Ellmore
7080036	July 2006	Drummond et al.
7089208	August 2006	Levchin et al.
7089503	August 2006	Bloomquist et al.
7093020	August 2006	McCarty et al.
7117239	October 2006	Hansen
7137006	November 2006	Grandcolas et al.
2001/0011255	August 2001	Asay et al.
2001/0012974	August 2001	Mahaffey
2001/0027474	October 2001	Nachman et al.
2001/0032184	October 2001	Tenembaum
2001/0047295	November 2001	Tenembaum
2001/0051917	December 2001	Bissonette et al.
2001/0054003	December 2001	Chien et al.
2002/0007313	January 2002	Mai et al.
2002/0007460	January 2002	Azuma
2002/0010599	January 2002	Levison
2002/0010668	January 2002	Travis et al.
2002/0018585	February 2002	Kim
2002/0019938	February 2002	Aarons
2002/0023108	February 2002	Daswani et al.
2002/0029269	March 2002	McCarty et al.
2002/0032613	March 2002	Buettgenbach et al.
2002/0032650	March 2002	Hauser et al.
2002/0059141	May 2002	Davies et al.
2002/0077978	June 2002	O'Leary et al.
2002/0087447	July 2002	McDonald et al.
2002/0095443	July 2002	Kovack
2002/0099826	July 2002	Summers et al.
2002/0104006	August 2002	Boate et al.
2002/0104017	August 2002	Stefan
2002/0107788	August 2002	Cunningham
2002/0144135	October 2002	Langford et al.
2002/0152163	October 2002	Bezos et al.
2002/0165949	November 2002	Na
2002/0174010	November 2002	Rice, III
2002/0184507	December 2002	Makower et al.
2002/0188869	December 2002	Patrick
2002/0191548	December 2002	Ylonen et al.
2002/0198806	December 2002	Blagg et al.
2003/0001888	January 2003	Power
2003/0018915	January 2003	Stoll
2003/0023880	January 2003	Edward et al.
2003/0034388	February 2003	Routhenstein et al.
2003/0037131	February 2003	Verma
2003/0037142	February 2003	Munger et al.
2003/0040995	February 2003	Daddario et al.
2003/0046587	March 2003	Bheemarasetti et al.
2003/0046589	March 2003	Gregg
2003/0051026	March 2003	Carter et al.
2003/0055871	March 2003	Roses
2003/0070069	April 2003	Belapurkar et al.
2003/0070084	April 2003	Satomaa et al.
2003/0074580	April 2003	Knouse et al.
2003/0079147	April 2003	Hsieh et al.
2003/0084345	May 2003	Bjornestad et al.
2003/0084647	May 2003	Smith et al.
2003/0088552	May 2003	Bennett et al.
2003/0105981	June 2003	Miller et al.
2003/0110399	June 2003	Rail
2003/0115160	June 2003	Nowlin et al.
2003/0119642	June 2003	Gates et al.
2003/0154403	August 2003	Keinsley et al.
2003/0159072	August 2003	Bellinger et al.
2003/0163700	August 2003	Paatero
2003/0163733	August 2003	Barriga-Caceres et al.
2003/0177067	September 2003	Cowell et al.
2003/0182586	September 2003	Numano
2003/0191549	October 2003	Otsuka et al.
2004/0031856	February 2004	Atsmon et al.
2004/0039692	February 2004	Shields et al.
2004/0049702	March 2004	Subramaniam et al.
2004/0068559	April 2004	Shaw
2004/0117409	June 2004	Scahill et al.
2004/0128169	July 2004	Lusen
2004/0148259	July 2004	Reiners et al.
2005/0080747	April 2005	Anderson et al.
2005/0082362	April 2005	Anderson et al.
2005/0086160	April 2005	Wong et al.
2005/0086177	April 2005	Anderson et al.
2005/0120180	June 2005	Schornbach et al.
2005/0278641	December 2005	Mansour et al.

Foreign Patent Documents


2430549	Jun 2002	CA
19731293	Jan 1999	DE
0855659	Jul 1998	EP
0884877	Dec 1998	EP
0917119	May 1999	EP
1014318	Jun 2000	EP
1022664	Jul 2000	EP
1056043	Nov 2000	EP
1089516	Apr 2001	EP
01088659	Nov 2001	EP
H10-187467	Jul 1998	JP
200324329	Nov 2000	JP
2001134672	May 2001	JP
2005-242976	Sep 2005	JP
97/43736	Nov 1997	WO
99/40507	Aug 1999	WO
99/52051	Oct 1999	WO
00/68858	Nov 2000	WO
01/18656	Mar 2001	WO
01/35355	May 2001	WO
01/43084	Jun 2001	WO
02/17082	Feb 2002	WO
2004/079603	Sep 2004	WO

Other References

Echarge, Echarge Corporation, www.echarge.com, Dec. 3, 1999. cited by other .
Summary of the At Your Request Architecture, First USA Bank Confidential and Proprietary, Apr. 2, 1999, pp. 1-8. cited by other .
Siebel; Siebel: Ensuring Customer Success, www.siebel.com, Nov. 17, 1999. cited by other .
OMG; Welcome to OMG's Corba for Beginners Page!, www.omg.co, May 25, 1999. cited by other .
Sun Microsystems, Inc.; Schema for Representing Corba Objects in an LDAP Directory, May 21, 1999, pp. 1-9. cited by other .
OMG; Library, www.omg.com, May 25, 1999. cited by other .
OMG; What is Corba?, www.omg.com, May 25, 1999. cited by other .
Anonymous; Overview of Corba, May 25, 1999. cited by other .
Anonymous; Corba Overview, Arch2.HTM At Pent21.Infosys.Tuwien.AC.AT, May 25, 1999. cited by other .
Java; Java (.TM.) Technology in the Real World, Java.Sun.com, May 21, 1999. cited by other .
Java; Java(.TM.) Servlet Api, Java.Sun.com, May 21, 1999. cited by other .
Java; Staying in Touch With JNDI, Java.Sun.com, May 21, 1999. cited by other .
Java; Java(.TM.) Remote Method Invocation (RMI) Interface, Java.Sun.com, May 32, 1999. cited by other .
Java; Banking on Java(.TM.) Technology, Java.Sun.com, May 21, 1999. cited by other .
Applets, Java.Sun.com, May 21, 1999. cited by other .
Java; The JDBC(.TM.) Data Access Api, Java.Sun.com, May 21, 1999. cited by other .
Thomas; Enterprise Javabeans(.TM.) Technology: Server Component Model for the Java(.TM.) Platform, Java.Sun.com, May 2, 1999. cited by other .
Getting Smart With Java: Sun Micro Says American Express to Use Java for Smart Card, ABCnews.com, printed on Jun. 6, 2000. cited by other .
Bank; Cash, Check,Charge--What's Next?, Seattle Times, Mar 6, 1995. cited by other .
Vandenengel; Cards on the Internet: Advertising on a $3 Bill, Industry Intelligence, Feb. 1, 1995, pp. 46-48. cited by other .
Strassel; Dutch Software Concern Experiments With Electronic `Cash` in Cyberspace, The Wall Street Journal, Apr. 17, 1995. cited by other .
Kutler; Cash Card Creator Looking Beyond Mondex, Feb. 9, 1995. cited by other .
Post; E-Cash: Can't Live With it, Can't Live Without it, The American Lawyer, Mar. 1, 1995, pp. 116-117. cited by other .
Mitchell; Cyberspace: Crafting Softwarea, Business Week, Feb. 27, 1999, pp. 78-86. cited by other .
Kutler; A Different Drummer on the Data Highway, American Banker, Section: No. 91, vol. 160, May 12, 1995, p. 14. cited by other .
Epper; A Player Goes After Big Bucks in Cyberspace, American Banker, vol. 160, No. 86, ISSN: 0002-7561, May 5, 1995, p. 17. cited by other .
Barnham; Network Brings Together Producers and Companies, Document ID: 17347. cited by other .
Houlder; OFT Gives the Individual Top Priority: Report Calls for Deregulation of Business Lending, Doucment ID: 91716, Jun. 8, 1994. cited by other .
Maize; Fannie Mae on the Web, Doucment ID: 52079, May 8, 1995. cited by other .
Knowles; Improved Internet Security Enabling On-Line Commerce, PCWeek, vol. 12, No. 11, ISSN: 0740-1604, Mar. 20, 1995. cited by other .
Anonymous: Aversion Therapy: Banks Overcoming Fear of the Net to Develop Safe Internet-Based Payment System w/Netscape Communicator, Network World, ISSN: 0887-7661, Dec. 12, 1994. cited by other .
Clark; Microsoft, Visa to Jointly Develop PC Electronic-Shopping Software, The Wall Street Journal, Nov. 9, 1994 WSJ B9. cited by other .
Hewlett-Packard Company; Understanding Product Data Management, Hewlett-Packard Company. cited by other .
Getting Started: Specific GE TPN Post Service Use Guidelines, Printed on Apr. 26, 1999. cited by other .
Resource Center: Consolidated Edison Selects GE TPN Post, Printed Apr. 26, 1999. cited by other .
Thomas Publishing Company; Thomasnet, Apr. 26, 1999. cited by other .
Thomas Publishing Company; Solusource: For Engineers by Engineers, Thomas Publishing Company, Apr. 26, 1999. cited by other .
Harris; Harris Infosource, Printed on Apr. 26, 1999. cited by other .
Welcome to Muse, Apr. 26, 1999. cited by other .
Product Data Integration Technologies, Inc., Step Integratin Authors, Printed on Apr. 26, 1999. cited by other .
SBA: Pro-Net, U.S. Small Business Administration Procurement Marketing and Access Network, Last Modified: Apr. 1, 1999. cited by other .
Freemarkets, Printed on Apr. 26, 1999. cited by other .
At Your Request, www.wingspanbank.com, Sep. 28, 1999. cited by other .
Meredith; Internet Bank Moves Closer to Virtual Reality, USA Today, May 5, 1995. cited by other .
Sirbu, et al; Netbill: An Internet Commerce System Optimized for Network Delivered Services, Printed on Feb. 27, 1995. cited by other .
The Check is in the Email, Information Today, vol. 12, No. 3, ISSN: 8755-6286, Mar. 1995. cited by other .
The Gale Group; G&D America's Multi-Application Smart Card Selected for Combined Payroll and `Virtual Banking` Program in Mexico, Business Wire, Apr. 24, 1998, P241047. cited by other .
Mitchell; Netlink Goes After an Unbanked Niche, Card Technology, ISSN: 1093-1279, Sep. 1999, p. 22. cited by other .
Berry et al.; A Potent New Tool for Selling Database, Business Week, Cover Story, Sep. 5, 1994, pp. 56-62. cited by other .
Shibata; Seventh International Conference on Parallel and Distributed Systems: Workshops, IEEE Computer Society, Jul. 4-7, 2000. cited by other .
Jakobsson et al.; Secure and Lightweight Advertising on the Web, Computer Networks, 31 (1999) 1101-1109. cited by other .
Fujimura et al.; XML Voucher: Generic Voucher Language, Feb. 2003. cited by other .
Jepsen; Soap Cleans Up Interoperability Problems on the Web, IT PTO, Jan./Feb. 2001. cited by other .
Chester; Cross-Platform Integration With XML and Soap, IT PTO Sep. 10, 2001. cited by other .
Friedman; Dictionary of Business Terms, Barron's Third Edition, Copyright 2000. cited by other .
Consortium Created to Manage Common Electronic Purse Specifications, http://www.visa.com/av/news/prmisc051199.vhtml, Printed Feb. 23, 2001. cited by other .
Smartaxis, How it Works, http://www.smartaxis.co.uk/seller/howitworks.html, Printed on Feb. 23, 2001. cited by other .
Bechtel Construction Operations Incorporated Standardizes on Primavera's Expedition Contract Management Software, Business Wire, Jul. 27, 1999. cited by other .
Primavera and Purchasepro.com to Create E-Commerce Marketplace for Construction Industry, Primavera Ships P3, Version 3.0, www.purchasepro.com/, Sep. 21, 1999, pp. 1-3. cited by other .
Primavera Systems, Inc.--How the World Manages Projects, Expedition Contract Control Software, www.primavera.com, Jun. 23, 2005. cited by other .
Civitello Jr.; Construction Operations Manual of Policies and Procedures, Third Edition, 2000. cited by other .
Harris; Planning Using Primavera Project Planner P3 Version 3.0, User Guide Copyright 1999 by Eastwood Harry Pty Ltd., 1999. cited by other .
Ritz; Total Construction Project Management, McGraw-Hill, 1994. cited by other .
Marchman; Construction Scheduling With Primavera Project Planner, May 25, 1999. cited by other .
Associates National Bank (DE) Credit Card, The Associates, www.theassociates.com/consumer/credit.sub.--cards/main.html , Apr. 6, 1999, 6 Pages. cited by other .
Temporary Global Passwords, IBM Corporation, IBM TDB V36, N3, Mar. 1993, Order 93A 60636, Mar. 1, 1993, pp. 451-454. cited by other .
Method of Protecting Data on a Personal Computer, IBM Corporation, TDB Nov. 1985, Order 85A 62426, Nov. 1, 1995, p. 2530. cited by other .
Safe Single-Sign-on Protocol With Minimal Password Exposure No Decryption and Technology Adaptivity, IBM Corporation, TDB Mar. 1995, Order 95A, Mar. 1, 1995, pp. 245-248. cited by other .
Servlet/Applet/HTML Authentication Process With Single Sign-on, IBM Corporation, IBM Order: 00A6004, Jan. 1, 2000. cited by other .
Johnston; Pondering Passport: Do You Trust Microsoft With Your Data?, www.pcworld.com/resource/printable/article/0.aid,63244,00.asp, Sep. 24, 2001. cited by other .
Kormann; Risks of the Passport Single Signon Protocol, Computer Networks, Elsevier Science Press, vol. 33, Sep. 20, 2003, pp. 51-58. cited by other .
Carden, Philip; The New Face of Single Sign-on, Network Computing, http://www.networkcomputing.com, Printed Dec. 29, 2000, 4 Pages. cited by other .
Marlin; Chasing Document Management, Inform, vol. 13, No. 4, Apr. 1999, p. 76-85. cited by other .
Construction Financing to Build Your Own Home, ISBN: 0962864307, Jul. 1990. cited by other .
Radosevich; Is Work Flow Working?, cnn.com, Apr. 6, 1999 at <http://www.cnn.com/tech/computing/9904/06/workflow/ent.idg, p. 1 of 5, Retrieved From the Internet on Nov. 28, 2005. cited by other .
Omware, Inc., Web Pages, Feb. 2000, Retrieved From http://web.archive.org/web20000226033405/www.omware.com/products.html, Retrieved From the Internet on Nov. 28, 2005. cited by other .
Point for Windows Version 3.X Interface Marketing Guide.PDF. cited by other .
Frank; John N. Frank, Beyond Direct Mail, Credit Card Management, vol. 9, Iss. 5, Aug. 1996, 4PGS. cited by other .
Mary C. Lacity, et al.; Mary C. Lacity, et al., The Information Systems Outsourcing Bandwagon, Sloan Management Review, vol. 35, No. 1, Fall 1993, p. 73-86. cited by other .
Fusaro, Roberta; Builders Moving to Web Tools Computerworld, Nov. 16,1998, vol. 32, No. 46, pp. 51, 53. cited by other .
Owens, David; Facilities Planning & Relocation Rsmeans, 1993, ISBN: 0-87629-281-3. cited by other .
Larsen, Amy; Internet Goes to Work for Builders, Interweek, Nov. 16, 1998, Issue 741. cited by other .
Primavera Systems Delivers Expedition Express,Business Wire, Feb. 23, 1999. cited by other .
Deckmyn, Dominique; San Francisco Manages $45M Project Via Web-Based Service, Computerworld, Aug. 9, 1999, vol. 33, No. 32, p. 14. cited by other .
Seibert, Paul; Facilities Planning & Design for Financial Institutions Bankline Publications, 1996, ISBN: 1-55738-780-X. cited by other .
Mosig, Richard; Software Review: The Construction Project Manager Cost Engineering, Jan. 1996, vol. 38, No. 1, pp. 7-8. cited by other .
Hernandez, Tomas et al.; Software Solutions Building Design & Construction, Nov. 1999, vol. 40, No. 11, pp. 38-40. cited by other .
Taylor; Telecommunications Demand Analysis in Transition, Proceedings of the 31st Hawaii International Conference on System Sciences, vol. 5, Jan. 6-9, 1998, pp. 409-415. cited by other .
Cotts, David; The Facility Management Handbook Second Edition AMACM, 1998, ISBN: 0-8144-030-8. cited by other.

Primary Examiner: Zand; Kambiz
Assistant Examiner: Jackson; Jenise E.
Attorney, Agent or Firm: Lowenstein Sandler PC

Parent Case Text

CROSS-REFERENCE TO RELATED PATENT APPLICATION

This patent application is related to and claims the benefit of Provisional U.S. Patent Application No. 60/487,995 filed Jul. 17, 2003, which application is hereby incorporated by reference in it entirety.

Claims

What is claimed is:

1. A method for allowing a user to temporarily gain access to a privileged account on a computer system to perform a maintenance task, the method being a replacement for a conventional switch user command, comprising: receiving a switch user command login with a user id and an account name as an argument; retrieving a list of privileged account names; determining whether the account name is in a list of privileged account names and diverting the user to the conventional switch user command prompt if the account name is not in the privileged account list; otherwise, determining whether the user id is in a list of user ids having permission to access privileged accounts and allowing access to the account if the user id is in the list of user ids having permission to access privileged accounts; prompting for a reason for accessing the account; recording a reason for accessing the account; notifying a manager of the privileged account of the login; recording keystrokes in a log file while logged into the account; terminating the login; and notifying the manager of the privileged account of the login termination.

2. A method for allowing a user to temporarily gain access to a privileged account on a computer system to perform a maintenance task, the method being a replacement for a conventional switch user command, comprising: receiving a switch user command login with a user id and an account name as an argument; retrieving a list of privileged account names; determining whether the account name is in a list of privileged account names and diverting the user to the conventional switch user command prompt if the account name is not in the privileged account list; otherwise, determining whether the user id belongs to a privileged group located in a group list on the computer system having permission to access privileged accounts; denying access to privileged accounts and notifying the manager if the user id does not belong to the privileged group, otherwise, allowing; prompting for a reason for accessing the account; recording a reason for accessing the account; notifying a manager by email of the access of the privileged account of the switch user login along with the name of a first log file; recording keystrokes in the first log file while logged into the account; recording keystrokes in a duplicate log file while logged into the account; determining whether the first log file was tampered with and if so recording that the first log file was tampered with in the duplicate log file and transmitting the duplicate log file to the manager; terminating the switch user login; and notifying the manager by email of the privileged account of the switch user login termination.

3. A method in accordance with claim 2 further comprising: denying write permission to the log file after the step of terminating the login.

4. A method in accordance with claim 2 further comprising: transmitting the log file to the account manager.

5. A method in accordance with claim 2 further comprising: receiving a password in order to access the privileged account; determining whether the password associated with the user id matches the entered password; and permitting access only if the password associated with the user id matches the entered password.

6. A method in accordance with claim 2 further comprising: notifying the manager of the privileged account if the login is not successful.

7. A method in accordance with claim 2 further comprising: compressing the log file after terminating the login.

8. A method in accordance with claim 2 further comprising: deleting the duplicate log file responsive to a determination that the log file has not been tampered with.

Description

FIELD OF THE INVENTION

This invention relates to the field of limiting access to privileged accounts on computer systems, and, more specifically, to a method for providing controlled access to privileged accounts and sensitive data, wherein any access is reported to management and is fully auditable.

BACKGROUND OF THE INVENTION

Computer security has become a critical issue in today's world. On one hand, enterprises are providing an ever-increasing number of services via computer systems for increasingly sophisticated, real-time transactions. At the same time, hacker break-ins, computer terrorism and employee (or former employee) sabotage is increasing. Thus, there is a tension between the need to keep computer system accessible for changes, upgrades and emergency fixes in order to keep business moving while preventing unauthorized access.

For example, sophisticated transactions involving stocks, bonds, derivatives, futures, etc., and combinations thereof, are executed internationally. These transactions are carried out on one or more secure accounts on one or more computer systems. Such secure accounts include, but are not limited to, trading services, price-feed services and data-feed services. These secured accounts are referred to herein as "Privileged Accounts." It is clear that Privileged Accounts must be secure to prevent tampering, unauthorized acquisition of private data, etc. It is also clear that that Privileged Accounts must have some form of access to keep these accounts up-to-date and operative to prevent financial loss, incorrect or missing data, unconsummated time-sensitive transactions, etc.

Therefore, there is a need in the art for a secure system and method for accessing Privileged Accounts.

SUMMARY OF THE INVENTION

This problem is solved and a technical advance is achieved in the art by a system and method that provides access to Privileged Accounts to users with Privileged Account access permission. The user must enter a reason for access. A message is sent to a Privileged Accounts manager when a user logs into a Privileged Account, which includes the user id, the account, the system and the reason. If the login is successful, all keystrokes are then logged. At the conclusion of the user session, the log file is closed and another message is sent to the Privileged Accounts manager. The log file may be sent to the manager at this time or saved for a batch transfer periodically.

According to an exemplary method of this invention, when a user attempts to log into an account, the account is verified against a list of Privileged Accounts that may be accessed. If the account is in the list, then the user is verified against a Privileged Account group. If the user is in the group, then the user is prompted for a reason for accessing the selected Privileged Account. A message is then sent to an account manager regarding the Privileged Account access, which may, advantageously, includes the user name or ID, the time and date, the Privileged Account being accessed and the reason.

If the login is successful, all key strokes are then recorded in a key log. Advantageously, the key log is duplicated. Further, if tampering is detected in the key log, the session is ended and the duplicate key log is sent to the account manager.

At the conclusion of the user session, the key log is closed and a second message sent to the account manager. This second message may include the key log file. Periodically, the key log files are collected and sent to a location for analysis and storage.

In this manner, security may be maintained on Privileged Accounts while permitting access to users that have permission. Further, management is informed of access to Privileged Accounts when they occur and can review all key strokes made by users.

BRIEF DESCRIPTION OF THE DRAWINGS

A more complete understanding of this invention may be obtained from a consideration of this specification taken in conjunction with the drawings, in which:

FIG. 1 is a block diagram of a data network in which an exemplary embodiment of this invention may be implemented;

FIG. 2 is a flow chart of processing according to the exemplary embodiment of this invention;

FIG. 3 is a flow chart of further processing according to the exemplary embodiment of this invention;

FIG. 4 is a screen shot of an email message when a login failed during the processing of FIG. 2;

FIG. 5 is a screen shot of a successful login during the processing of FIG. 2;

FIGS. 6 and 7 are screen shots of email messages that a manger may receive for successful logins during the processing of FIG. 2;

FIG. 8 is a screen shot of an email message that a manger receives when the user tampers with the log file during the processing of FIG. 3;

FIG. 9 is a sample of a log file summary according to an aspect of this invention; and

FIG. 10 is a sample of a log file according to another aspect of this invention.

DETAILED DESCRIPTION

FIG. 1 is a block diagram of an exemplary data network 100 used in effecting data flow and trading of instruments. While this invention is described in terms of a data network used for financial dealings, this invention may be used wherever security is required on a computer system. For example, a server for a web site may employ this invention. Also, a stand-alone system, such as a computer-controlled telephone exchange, may employ this invention. One skilled in the art will appreciate how to implement this invention in widely diverse applications after studying this specification.

Data network 100 comprises, in general, a plurality of users at user level 102 in communication with business layer 104 via data network 106. User level 102 comprises a plurality of user terminals, represented by workstation 110 and personal computer (PC) 112. Workstation 110, PC 112 or both can be used by traders or brokers in the investment community to, for example, obtain information and execute trades. Also illustrated in user layer 102 are workstations 114 and 116 connected to server 118. This server 118 and workstation 114, 116 community may be used, for example, by a brokerage house.

Business layer 104 comprises a plurality of servers, represented by servers 132, 134 and 138. By way of example, servers 132 and 134 comprise data servers connected to data storage components 138 and 140, respectively. Server 136 provides real-time data feeds from, for example, national data markets, international data markets or both. Terminal 138 and terminal 140 comprise command and maintenance terminals, as known in the art. These terminals permit authorized users to access servers 132 and 136, respectively, in order to perform regular maintenance and to fix real-time problems. Server 134, in this exemplary embodiment, provides for remote access from, for example, terminal 148 for maintenance. Data network 106 comprises, in this exemplary embodiment, the Internet. While data network 106 is described in terms of the Internet, any public or private data network may be used. PC 150 and PC 152 are illustrated herein as being connected to data network 106. PC 150 and PC 152 represent remote access terminals for remote administration of server 132, server 134 and server 136. Further, PC 150 and PC 152 represent regional or national management of business layer 104.

In the context of data network 100, business layer 104, and, more specifically, server 132, server 134 and server 136, are the primary users of an exemplary embodiment according to this invention. Server 132, server 134 and server 136 all contain data and transaction information that must remain confidential, proprietary or maintain a constant flow. Each service provided by these servers comprises an account on the server. In terms of this invention, each service provided by server 132, server 134 and server 136 comprises a Privileged Account, which is protected by an exemplary embodiment of this invention.

In the exemplary embodiment of this invention, UNIX is the operating system used in server 132, server 134 and server 136. While this invention is described in terms of the UNIX operating system (and its variants), one skilled in the art will appreciate how to apply the principals of this invention to other operating systems after studying this specification.

In accordance with the exemplary embodiment of this invention, a user at terminal 138 wants to apply a change request ("CR") in order to, for example, fix a known bug. The user logs in as usual and executes the "switchuser" (su) command to a selected Privileged Account in order to access to that Privileged Account. In the prior art, all the user would have to know is the password for "su," and the user can do anything to the account.

According to this invention, an "suwrapper" is placed around the usual UNIX su command. The usual UNIX su command is disabled to access certain accounts. Turning now to FIGS. 2 and 3, a flow chart of processing in accordance with this embodiment of this invention is shown. In input box 202, the user invokes the su command with an account name as an argument. The method according to this invention first retrieves a list of Privileged Accounts that can be accessed by this method in box 204. If, in decision diamond 206, the account is not in the list, then the user is permitted to su into it under the usual UNIX su command in box 210. Processing continues along arrow 212.

If the selected account is in the Privileged Accounts list in decision diamond 214, then the user id is verified against a group list. If the user is not in the privileged group, the user is denied access in box 216 and a system manager is notified in box 218. FIG. 4 is a screen shot of such email to a manager. Information sent to the manager should be satisfactory to trace who tried to log into a Privileged Account, so that person may be dealt with in an appropriate manner.

If the user is in the privileged group as determined at decision diamond 214, then a screen as illustrated in FIG. 5 is displayed to the user. First, at 502 the user is prompted for a reason for the access. The user responds with a reason at 504. Logging in proceeds and the user is asked for the user's password at 506. Using the user's password at 506 prevents the user from knowing other accounts passwords. As is known in the art, the password is then verified and the system displays a warning screen, such as the warning screen at 508. The user is now logged in.

Returning to FIG. 2, an email message is sent to the manager in box 226. Sample email messages are shown in FIGS. 6 and 7. Both email messages include the date, the Privileged Account, the system and the reason. Additionally, the key log file is noted in the email so that the manager may access the file if necessary. Processing proceeds to FIG. 3 in connector 228.

Turning now to FIG. 3, processing continues from FIG. 2 at connector 300. At this point, the user is successfully logged in. The next four operations occur approximately simultaneously, as is known in the art, and are thus presented here in an order that facilitates flowcharting.

Processing continues in the context of the flowchart of FIG. 3 in box 302, where keystrokes are logged to a file. In box 304, keystrokes are logged to a duplicate file. In this manner, if the user attempts to tamper with the log file, the duplicate file is still available for managers to review and take action on.

In decision diamond 306, a determination is made whether the user logged out. If not, then processing moves to decision diamond 308, where a determination is made whether the user tampered with the log file. If the user did not tamper with the log file, then processing loops back to box 302.

If, in decision diamond 306, the user did tamper with the log file, then that fact is recorded in the duplicate log file in box 310. The login is terminated in box 312.

Processing from both the "YES" branch of decision diamond 306 (the user logged out) and box 312 moves to box 314 where the log file is stored. In this exemplary embodiment, the log file is made read-only for security and compressed ("zipped") to preserve space. In box 316, email is again sent to the manager. FIG. 8 illustrates the email received when the user tampered with the log file. The users name is included along with the other data, according to this exemplary embodiment.

At some time 320 (immediately, hourly, daily, etc.), the log file is sent to the manager in box 322. Processing concludes in oval 324.

According to this embodiment of this invention, log files are displayed in two ways. Turning to FIG. 9, a first log file format is shown. This log file format presents a summary of all of the logins on all of the systems that this manager monitors. Generally, this summary presents the name of the system ("HOST"), the time of the login ("LOGIN"), the time of the logout ("LOGOUT"), the user ("WHO"), the reason ("REASON") and any comments. In this manner, the manager can tell at a glance what has happened in the past time period.

Turning now to FIG. 10, a detailed log file is shown. All of the operations performed by the users are shown specifically. In this manner, the manager may trace any tampering, wrong entries, etc., and is able to take appropriate action immediately.

Advantageously, additional protections may be afforded to suwrapper configuration files and audit logs. In accordance with one exemplary embodiment of this invention, the suwrapper script is owned by root and write protected. Furthermore, suwrapper may be programmed such that, if someone attempts to run the script in the debugging mode ("-x" switch), the script immediately exits.

In accordance with other aspects of this invention, configuration files are owned by root and write protected. Log files, while owned by the user, are zipped and write protected when suwrapper exits. Further, all files that support suwrapper may advantageously be protected by the optional layered security tool called "eTrustAC" (previously called SEOS and referenced above).

It is to be understood that the above-described embodiment is merely illustrative of the present invention and that many variations of the above-described embodiment can be devised by one skilled in the art without departing from the scope of the invention. It is therefore intended that such variations be included within the scope of the following claims and their equivalents.

* * * * *